From: GitBox
To: notifications@accumulo.apache.org
Subject: [GitHub] PircDef commented on a change in pull request #108: Add documentation for crypto
Date: Mon, 01 Oct 2018 17:18:32 -0000

PircDef commented on a change in pull request #108: Add documentation for crypto
URL: https://github.com/apache/accumulo-website/pull/108#discussion_r221688650

File path: _docs-2-0/administration/crypto.md
@@ -0,0 +1,108 @@ +--- +title: On Disk Encryption +category: administration +order: 14 +--- + +For an additional layer of security, Accumulo can encrypt files stored on disk. On Disk encryption was reworked +for 2.0, making it easier to configure and more secure. The files that can be encrypted include: [RFiles][design] and Write Ahead Logs (WALs). +For information on encrypting data over the wire see the section on [SSL]. For information on cryptographic client-server authentication see the section on [Kerberos]. + +## Configuration + +To encrypt all tables on disk, encryption must be enabled before an Accumulo instance is initialized. If on disk +encryption is enabled on an existing cluster, only files created after it is enabled will be encrypted +(root and metadata tables will not be encrypted in this case) and existing data won't be encrypted until compaction. To configure on disk encryption, add the +{% plink instance.crypto.service %} property to your `accumulo.properties` file. The value of this property is the +class name of the service which will perform crypto on RFiles and WALs. +``` +instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService +``` +Out of the box, Accumulo provides the `AESCryptoService` for basic encryption needs. This class provides AES encryption +with Galois/Counter Mode (GCM) for RFiles and Cipher Block Chaining (CBC) mode for WALs. The additional properties +below are required by this crypto service to be set using the {% plink instance.crypto.opts.* %} prefix. +``` +instance.crypto.opts.key.provider=uri +instance.crypto.opts.key.location=file:///secure/path/to/crypto-key-file +``` +The first property tells the crypto service how it will get the key encryption key. The second property tells the service +where to find the key. For now, the only valid values are "uri" and the path to the key file. The key file can be 16 or 32 bytes. 
+Initializing Accumulo after these instance properties are set, will enable on disk encryption across your entire cluster.

Review comment:
For testing, I've just been using openssl's random:

    openssl rand -out /path/to/keyfile 32
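Review bot: the paragraph on `instance.crypto.opts.key.location` says the key file "can be 16 or 32 bytes" but never says how to create it or how it must be protected, and that file is the key encryption key for every RFile and WAL. Suggest adding, right after "The key file can be 16 or 32 bytes.", that the two sizes select AES-128 and AES-256, that the file must come from a cryptographically secure random source, that it should be readable only by the user Accumulo runs as, and whether it has to exist at the same path on every node (a `file://` URI is local to the process reading it). A second, smaller point on "Galois/Counter Mode (GCM) for RFiles and Cipher Block Chaining (CBC) mode for WALs": GCM is an authenticated mode and CBC on its own is not, so one sentence on whether WAL encryption also provides integrity protection would stop readers from assuming both file types get the same guarantee.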
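The key-generation step from the comment above, worked through as an added example (this is illustration written for this page, not code from the Accumulo project or from the commenter): generate the key encryption key with a CSPRNG, create it with owner-only permissions, check that it is one of the two sizes the documentation allows, and print the three `accumulo.properties` lines that point `AESCryptoService` at it. The key path, the fallback to `/dev/urandom` when `openssl` is absent, and the 0600/0400 permission check are assumptions, not requirements stated on the page.

```shell
#!/bin/sh
# Added example: create and sanity-check a key encryption key (KEK) file for
# Accumulo's AESCryptoService, then emit the matching accumulo.properties lines.
# Assumptions (not from the page): key path given on the command line,
# /dev/urandom as a fallback source, owner-only permissions on the file.

# gen_key PATH NBYTES: write NBYTES random bytes to PATH with mode 0600.
# Runs in a subshell so the umask change does not leak into the caller.
gen_key() {
    path="$1"; n="$2"
    (
        umask 077                      # file is created 0600: nobody else may read the KEK
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -out "$path" "$n"
        else
            head -c "$n" /dev/urandom > "$path"
        fi
    )
    chmod 600 "$path"
}

# check_key PATH: return 0 only if PATH exists, is exactly 16 or 32 bytes
# (AES-128 / AES-256, the two sizes the documentation allows) and is not
# group- or world-readable. Anything else is reported on stderr and returns 1.
check_key() {
    path="$1"
    [ -f "$path" ] || { echo "missing key file: $path" >&2; return 1; }
    size=$(wc -c < "$path" | tr -d ' ')
    case "$size" in
        16|32) ;;
        *) echo "bad key size $size bytes (need 16 or 32)" >&2; return 1 ;;
    esac
    # GNU stat first, BSD stat as a fallback.
    perm=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$perm" in
        600|400) ;;
        *) echo "key file is mode $perm; expected 600 or 400" >&2; return 1 ;;
    esac
    return 0
}

# crypto_props PATH: print the properties the page describes, with PATH as the
# file:// key location.
crypto_props() {
    printf 'instance.crypto.service=org.apache.accumulo.core.security.crypto.impl.AESCryptoService\n'
    printf 'instance.crypto.opts.key.provider=uri\n'
    printf 'instance.crypto.opts.key.location=file://%s\n' "$1"
}

# Usage (assumed path): sh gen-kek.sh /secure/path/to/crypto-key-file
if [ -n "${1:-}" ]; then
    gen_key "$1" 32 && check_key "$1" && crypto_props "$1"
fi
```

Run it once on each node that needs the key, then paste the printed lines into `accumulo.properties` before initializing the instance; `check_key` is the part worth keeping in any deployment script, since a 24-byte file or a world-readable one will pass a visual inspection but not this check.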